CTF-CheatSheet

last modified: Nov 2023
my CTF writeups

overall useful website/tools

• hacktricks.xyz reference book

– web –

• webhook.site to get request bin
• dirsearch to brute force directory
• GitTools to pull git repo from public website, if .git is exposed
• php_filter_chain_generator to generate php filter chain
• postman to send http requests
• burpsuite to intercept http request packages
• wireshark to capture/analyse network traffic

– rev –

• disasm.pro to disassemble bytecode online
• fernflower to decompile java bytecode, made by JetBrains
• angr to get solution of input or sth

–misc –

• z3 to find solution under constrains
• dcode to decode anything

–forensics / osint –

• saucenao to search for image source
• aperisolve.com do stego for image online
• photo-forensics do stego for image online
• stegseek crack jpeg password
• exiftool print out EXIF
• maigret to search for social media account, one of forks of sherlock
• F5 a common F5 implementation
• autopsy a GUI tool for forensics
• volatility a CLI tool for forensics memory dump
• zsteg to do stego for PNG/BMP

– crypto –

• RsaCtfTool to attack RSA
• hashclash for MD5 collision
• hashcat to attack hash
• yafu to factorize number
• John the Ripper jumbo to crack password

– pwn –

• checksec.sh to check binary security properties
• gef very useful GDB plugin
• pwntools utility for pwn in python

– I don’t know where to put –

• gtfobins to search for binaries that can be used to get root shell under certain conditions
• revshells.com to generate reverse shell code
• PEASS-ng to enumerate windows/linux privilege escalation

Web

DOM Clobbering

• blink SECCON CTF 2023

Cascading

• CSS Font Cascading People can use unicode-range to do cascading.
• Font side-channel Font Review BuckeyeCTF 2023 - use linguistics to make page overflow in order to leak the flag char by char.
• STTF reference, basically, use :target in style in order to send request if the scroll to text fragment part is matched.

NoSQL Injection

• the input is in JSON and use regex Area51 BuckeyeCTF 2023

JWT

• RS256 to HS256 certs BuckeyeCTF 2023

JSDom jail

• Optimized Admin Bot vsCTF 2023 spawnSync to do RCE, require process and spawn_sync.

python jail / pyjail

• starship CrewCTF 2023 character limit: @^_":,. and acsii letters; type: @__build_class__.__self__.exec\r@__build_class__.__self__.input\rclass\x0cx:pass.
• Bonus_The_Revenge_of_Checkpass_1 BxMCTF 2023 eval(inp, {'__builtins__': None}, None); type: ().__class__.__bases__[0].__subclasses__().
• Username_Decorator BxMCTF 2023 Flask escape; type: ().__class__.__bases__[0].__subclasses__().
• 'f{32:c}' can format an int to char (equalivant to chr(32)).

CORS bypass

• makes-sense ASIS-ctf-qual 2023 use shadow dom to let inside iframe access parent‘s document by shadowContainer.attachShadow. Basically is let e.source in window.onmessage = e=>(e.source == top && e.source.length == 0 ? eval(e.data) : '') is not undefined.

CSP bypass

• hacktricks.xyz check this website for more CSP bypass tricks.
• JS polygots, embed JavaScript code in multiple languages image file. Then use <script charset = "ISO-8859-1" src=url></script> to call those JavaScript Code. Refers: js jpeg polyglot script and Bypassing CSP using polyglot JPEGs.

JavaScript Jail

• inside of function: use var process=this.constructor.constructor("return process;")(); to get process object. Then use var require = global.require || global.process.mainModule.constructor._load;, the script here spawnSync.js, or even this.require to get RCE.

Misc

find solution under constrains

Use z3-solver, e.g. based emoji hackasat qual 2023

Rev

Angr to find solution for input

• Homework Help WolvCTF 2023
• Angry BuckeyeCTF 2022